DNS Firewall Executive Threat Report

<form>
  <!--
    Splunk Simple XML dashboard "DNS Firewall Executive Threat Report".
    Every panel reads the summary index ib_dns_summary, report=si_dns_rpz_hits
    (RPZ / DNS Firewall hit records) and aggregates per client or per RPZ rule.
    The four form tokens ($time$, $topn_clients$, $topn_domains$, $hit_count$)
    are substituted verbatim into the SPL of the panels below.
  -->
  <label>DNS Firewall Executive Threat Report</label>
  <description>System-created dashboard: Please clone before editing.</description>
  <!--
    Inputs. With submitButton and autoRun the panels run once on load with the
    defaults and again whenever Submit is pressed.
    NOTE(review): $hit_count$ is a free-text token placed unquoted after
    "| where TOTAL_CLIENT_COUNT" / "| where RPZ_HIT_COUNT" in all three panels,
    so the typed value is evaluated as part of the search expression rather
    than as data. Consider replacing it with a dropdown of fixed comparison
    choices, or validating the value in a <change>/<condition match="..."> block
    and only then setting the token the searches consume. The dropdown tokens
    are likewise interpolated raw into "dedup" and "head"; the UI limits them to
    the listed choices, but dashboard tokens can also be pre-set from the URL
    (form.* parameters), so the same caution applies to them.
  -->
  <fieldset submitButton="true" autoRun="true">
    <!-- Time range for all panels; default is the last week up to now. -->
    <input type="time" token="time">
        <label>Time</label>
        <default>
          <earliest>-1w</earliest>
          <latest>now</latest>
        </default>
      </input>
      <!-- N used by "| head" in rows 1 and 2 (clients) and row 3 (RPZ rules). -->
      <input type="dropdown" token="topn_clients">
        <label>Top N Clients/Rules</label>
        <choice value="5">5</choice>
        <choice value="10">10</choice>
        <choice value="20">20</choice>
        <choice value="50">50</choice>
        <default>10</default>
      </input>
      <!-- N used by "| dedup N CLIENT" in rows 1 and 2: how many domains are kept per client. -->
      <input type="dropdown" token="topn_domains">
        <label>Top N Domains</label>
        <choice value="3">3</choice>
        <choice value="5">5</choice>
        <choice value="10">10</choice>
        <default>3</default>
      </input>
      <!--
        Comparison appended to the "where" filter of each panel; the default
        ">=0" keeps every row. See the review note above about validation.
      -->
      <input type="text" token="hit_count">
        <label>Hit Count (eg: &gt;10)</label>
        <default>&gt;=0</default>
      </input>
  </fieldset>
  <!--
    Row 1: bar chart of the top $topn_clients$ clients by total RPZ hits.
    Pipeline: fill null RECORD_DATA/RPZ_QNAME/RPZ_SEVERITY with "", average
    COUNT per (_time, orig_host, VIEW, CLIENT, DOMAIN_NAME, ...) tuple, sum
    TOTAL_COUNT per CLIENT+DOMAIN_NAME, then per CLIENT via eventstats, filter
    with $hit_count$, keep $topn_domains$ rows per client so TOP3_DOMAINS lists
    that many domains (the name reflects the default of 3, not the token),
    collapse to one row per client, sort and head.
    The closing "| fields" narrows the output to the two columns the chart
    plots, so the four-column "| table" just before it is redundant here.
    The eval that appends spaces to CLIENT presumably pads the axis label;
    confirm before removing it. Drilldown is disabled.
  -->
  <row>
    <panel>
      <title>Malicious Activity by Client</title>
      <chart>
        <search>
          <query>index=ib_dns_summary report=si_dns_rpz_hits
                     | eval RECORD_DATA=if(isnull(RECORD_DATA),"",RECORD_DATA)
                     | eval RPZ_QNAME=if(isnull(RPZ_QNAME),"",RPZ_QNAME)
                     | eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY)
                     | stats avg(COUNT) as COUNT by _time orig_host VIEW CLIENT DOMAIN_NAME RPZ_QNAME RPZ_SEVERITY TOTAL_COUNT MITIGATION_ACTION RECORD_DATA
                     | stats sum(TOTAL_COUNT) as CLIENT_COUNT_BY_DOMAIN latest(_time) as LATEST_TIME by CLIENT DOMAIN_NAME
                     | eventstats sum(CLIENT_COUNT_BY_DOMAIN) as TOTAL_CLIENT_COUNT max(LATEST_TIME) as MAX_LATEST_TIME by CLIENT
                     | sort -CLIENT_COUNT_BY_DOMAIN
                     | where TOTAL_CLIENT_COUNT $hit_count$
                     | dedup $topn_domains$ CLIENT
                     | eventstats values(DOMAIN_NAME) as TOP3_DOMAINS by CLIENT
                     | dedup CLIENT
                     | sort -TOTAL_CLIENT_COUNT
                     | head $topn_clients$
                     | convert ctime(MAX_LATEST_TIME) as LAST_ACTIVE
                     | eval CLIENT = CLIENT + "               "
                     | rename CLIENT as "Client ID", TOTAL_CLIENT_COUNT as "# Hits", TOP3_DOMAINS as "Domains", LAST_ACTIVE as "Last Active"
                     | table "Client ID" "# Hits" "Domains" "Last Active"
                     | fields "Client ID" "# Hits"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.data.preview">true</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisTitleX.text">Client ID</option>
        <option name="charting.axisTitleY.text"># Hits</option>
      </chart>
    </panel>
  </row>
  <!--
    Row 2: the same pipeline as row 1 rendered as a table with all four
    columns (Client ID, # Hits, Domains, Last Active). The title duplicates
    row 1's; a distinct title (e.g. "... by Client (Detail)") would make the
    two panels distinguishable to readers and to screen readers.
    Drilldown is disabled.
  -->
  <row>
    <panel>
      <title>Malicious Activity by Client</title>
      <table>
        <search>
          <query>index=ib_dns_summary report=si_dns_rpz_hits
                     | eval RECORD_DATA=if(isnull(RECORD_DATA),"",RECORD_DATA)
                     | eval RPZ_QNAME=if(isnull(RPZ_QNAME),"",RPZ_QNAME)
                     | eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY),"",RPZ_SEVERITY)
                     | stats avg(COUNT) as COUNT by _time orig_host VIEW CLIENT DOMAIN_NAME RPZ_QNAME RPZ_SEVERITY TOTAL_COUNT MITIGATION_ACTION RECORD_DATA
                     | stats sum(TOTAL_COUNT) as CLIENT_COUNT_BY_DOMAIN latest(_time) as LATEST_TIME by CLIENT DOMAIN_NAME
                     | eventstats sum(CLIENT_COUNT_BY_DOMAIN) as TOTAL_CLIENT_COUNT max(LATEST_TIME) as MAX_LATEST_TIME by CLIENT
                     | sort -CLIENT_COUNT_BY_DOMAIN
                     | where TOTAL_CLIENT_COUNT $hit_count$
                     | dedup $topn_domains$ CLIENT
                     | eventstats values(DOMAIN_NAME) as TOP3_DOMAINS by CLIENT
                     | dedup CLIENT
                     | sort -TOTAL_CLIENT_COUNT
                     | head $topn_clients$
                     | convert ctime(MAX_LATEST_TIME) as LAST_ACTIVE
                     | eval CLIENT = CLIENT + "               "
                     | rename CLIENT as "Client ID", TOTAL_CLIENT_COUNT as "# Hits", TOP3_DOMAINS as "Domains", LAST_ACTIVE as "Last Active"
                     | table "Client ID" "# Hits" "Domains" "Last Active"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">off</option>
      </table>
    </panel>
  </row>
  <!--
    Row 3: top $topn_clients$ RPZ rules (RPZ_QNAME) by summed TOTAL_COUNT,
    filtered with $hit_count$. Note that eventstats runs after head, so
    ALL_HIT_COUNT, and therefore "Percentage", is each rule's share of the
    rows kept, not of all hits in the time range; confirm that this is the
    intended denominator. addthreatstopdetails is not a core SPL command;
    presumably a custom command shipped with the app that provides this
    dashboard, and the public_description field renamed to "Description"
    presumably comes from it (confirm). Drilldown is disabled.
  -->
  <row>
    <panel>
      <title>Top DNS Firewall Hits</title>
      <table>
        <search>
          <query>index=ib_dns_summary report=si_dns_rpz_hits
                     | fields RPZ_QNAME TOTAL_COUNT
                     | stats sum(TOTAL_COUNT) as RPZ_HIT_COUNT by RPZ_QNAME
                     | where RPZ_HIT_COUNT $hit_count$
                     | sort -RPZ_HIT_COUNT
                     | head $topn_clients$
                     | eventstats sum(RPZ_HIT_COUNT) as ALL_HIT_COUNT
                     | eval RPZ_HIT_PCT = round(RPZ_HIT_COUNT * 100 / ALL_HIT_COUNT, 2)
                     | addthreatstopdetails rpzorip RPZ_QNAME
                     | rename RPZ_QNAME as "RPZ Rule", RPZ_HIT_PCT as "Percentage", RPZ_HIT_COUNT as "# Hits", public_description as "Description"
                     | table "RPZ Rule" "Percentage" "# Hits" "Description"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">off</option>
      </table>
    </panel>
  </row>
</form>
If you appreciate my efforts, please give me a kudo ↓ or Accept as solution to help others find it faster.